Force the Spammers Onto
Official Servers"> Even if the zombie successfully is able to send spam through the ISP mail server, were still better off than before. The ISP can tell, just by looking at mail server logs, who is spamming from its network. ISPs have a cost interest in fixing the situation and arguably are more responsible for doing so since their own servers were involved. Put simply, forcing the spammer onto the ISP mail server facilitates the elimination of zombies. It also gives the ISP the opportunity to rate-limit mail in general, which will not likely affect regular users, but will seriously cut into spammers ability to spread the message. I have a similar reaction to St. Sauvers speculation that zombies, blocked in their ability to send spam, will instead be used for even worse things like denial-of-service attacks. This is not hard to imagine, but while much of the world puts up with systems sending spam, they would feel different about a DOS army. And I cant see that the market for DOS armies scales in the same way that the spam market does. Its just not as big a threat.While most of his writing is laboriously pessimistic, St. Sauver does have interesting constructive criticism. He urges those who would fight spam to focus not on the spam leaving the network but on the traffic coming in to the spambot. He asserts (this is counter to my understanding) that spambots dont typically construct the e-mails they send out programmatically but pass on what they receive from the outside. Whether this is true or not is beside the valid point he makes that it should be possible to look for the command/control coming into the network from spammers. While these commands come in on nonstandard ports, they are known (they have to be, or spammers couldnt find them either). Finally, for all their claims that easy alternatives exist to port 25, they havent come up with any. The first port usually listed is TCP 587, but like many of the potential alternatives, its an authenticated port, so its not blindly open for spamming use. In the end, the biggest factor in whether ISPs will play hardball with spammers is whether they want to have to go to the problem of taking out the garbage and keeping their place clean. Some ISPs have complained to me about others who dont seem to care if their networks are used to send out billions of spam messages and mail worms. They dont even look at their own log files! But the day is coming when these ISPs wont be able to coast through their own laziness and sloppiness. The use of RBLs like MAPS and other blocks of known spammer systems is an increasingly important technique, and if worms really do move to using the ISP mail server, then ISPs who dont do anything about it will find themselves blocked completely by the clean ISPs that are sick and tired of taking abuse. I dont expect everyone to clean up their act, but think were moving to an era of unofficial quality standards, of black and white lists, where ISPs will "protect" their customers from the red-light districts of the Internet. Its not perfect, but its better than what weve got now. Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
More from Larry Seltzer
He also points out that spammers could still evade blocks on port 25 at the network periphery by spamming inside the networke.g., to other customers of the same ISP on their subnet. Of course, they will only be able to do so if the recipient mail server is on the same subnet, and this is highly unlikely on a large consumer ISP network.